Changeset 13799

Timestamp:

04/23/2024 09:39:11 PM (12 months ago)

Author:

imath

Message:

Members component: improve PHP code standards using WPCS

See #7228 (trunk)

Location:

trunk/src/bp-members

Files:

• bp-members-admin.php (modified) (2 diffs)
• bp-members-blocks.php (modified) (1 diff)
• bp-members-functions.php (modified) (3 diffs)
• bp-members-notifications.php (modified) (1 diff)
• bp-members-template.php (modified) (68 diffs)
• bp-members-widgets.php (modified) (1 diff)
• classes/class-bp-core-members-template.php (modified) (1 diff)
• classes/class-bp-core-members-widget.php (modified) (1 diff)
• classes/class-bp-core-recently-active-widget.php (modified) (1 diff)
• classes/class-bp-core-whos-online-widget.php (modified) (1 diff)
• classes/class-bp-members-admin.php (modified) (21 diffs)
• classes/class-bp-members-invitations-list-table.php (modified) (6 diffs)
• classes/class-bp-members-list-table.php (modified) (8 diffs)
• classes/class-bp-members-ms-list-table.php (modified) (8 diffs)
• screens/register.php (modified) (1 diff)

trunk/src/bp-members/bp-members-admin.php

@@ -146 +146 @@
 
     ?>
-    <div id="signup-info-modal-<?php echo $signup_object->id; ?>" style="display:none;">
+    <div id="signup-info-modal-<?php echo esc_attr( $signup_object->id ); ?>" style="display:none;">
         <h1><?php printf( '%1$s (%2$s)', esc_html( $signup_object->user_name ), esc_html( $signup_object->user_email ) ); ?></h1>
 
@@ -166 +166 @@
                     <tr>
                         <td class="column-fields"><?php echo esc_html( $signup_field_labels[ $profile_field_id ] ); ?></td>
-                        <td><?php echo bp_members_admin_format_xprofile_field_for_display( $field_value ); ?></td>
+                        <td>
+                            <?php
+                            // phpcs:ignore WordPress.Security.EscapeOutput
+                            echo bp_members_admin_format_xprofile_field_for_display( $field_value );
+                            ?>
+                        </td>
                     </tr>
                 <?php endforeach; else: ?>

trunk/src/bp-members/bp-members-blocks.php

@@ -369 +369 @@
     );
 
-    // Include the common JS template.
+    // Include the common JS template (Escaping is done there).
+    // phpcs:ignore WordPress.Security.EscapeOutput
     echo bp_get_dynamic_template_part( 'assets/widgets/dynamic-members.php' );
 

trunk/src/bp-members/bp-members-functions.php

@@ -1137 +1137 @@
         // Don't send the warning more than once per pageload.
         if ( false === $warned ) {
-            _doing_it_wrong( 'get_user_meta( $user_id, \'last_activity\' )', __( 'User last_activity data is no longer stored in usermeta. Use bp_get_user_last_activity() instead.', 'buddypress' ), '2.0.0' );
+            _doing_it_wrong( 'get_user_meta( $user_id, \'last_activity\' )', esc_html__( 'User last_activity data is no longer stored in usermeta. Use bp_get_user_last_activity() instead.', 'buddypress' ), '2.0.0' );
             $warned = true;
         }
@@ -1172 +1172 @@
 function _bp_update_user_meta_last_activity_warning( $meta_id, $object_id, $meta_key, $meta_value ) {
     if ( 'last_activity' === $meta_key ) {
-        _doing_it_wrong( 'update_user_meta( $user_id, \'last_activity\' )', __( 'User last_activity data is no longer stored in usermeta. Use bp_update_user_last_activity() instead.', 'buddypress' ), '2.0.0' );
+        _doing_it_wrong( 'update_user_meta( $user_id, \'last_activity\' )', esc_html__( 'User last_activity data is no longer stored in usermeta. Use bp_update_user_last_activity() instead.', 'buddypress' ), '2.0.0' );
         bp_update_user_last_activity( $object_id, $meta_value );
     }
@@ -2686 +2686 @@
  */
 function bp_member_type_tax_name() {
-    echo bp_get_member_type_tax_name();
+    echo esc_html( bp_get_member_type_tax_name() );
 }
     /**

trunk/src/bp-members/bp-members-notifications.php

@@ -241 +241 @@
             <tr>
                 <th class="icon"></th>
-                <th class="title"><?php _ex( 'Members', 'Member settings on notification settings page', 'buddypress' ) ?></th>
-                <th class="yes"><?php _e( 'Yes', 'buddypress' ) ?></th>
-                <th class="no"><?php _e( 'No', 'buddypress' )?></th>
+                <th class="title"><?php echo esc_html_x( 'Members', 'Member settings on notification settings page', 'buddypress' ); ?></th>
+                <th class="yes"><?php esc_html_e( 'Yes', 'buddypress' ) ?></th>
+                <th class="no"><?php esc_html_e( 'No', 'buddypress' )?></th>
             </tr>
         </thead>

trunk/src/bp-members/bp-members-template.php

@@ -19 +19 @@
  */
 function bp_profile_slug() {
-    echo bp_get_profile_slug();
+    echo esc_url( bp_get_profile_slug() );
 }
     /**
@@ -46 +46 @@
  */
 function bp_members_slug() {
-    echo bp_get_members_slug();
+    echo esc_url( bp_get_members_slug() );
 }
     /**
@@ -73 +73 @@
  */
 function bp_members_root_slug() {
-    echo bp_get_members_root_slug();
+    echo esc_url( bp_get_members_root_slug() );
 }
     /**
@@ -216 +216 @@
  */
 function bp_signup_slug() {
-    echo bp_get_signup_slug();
+    echo esc_url( bp_get_signup_slug() );
 }
     /**
@@ -249 +249 @@
  */
 function bp_activate_slug() {
-    echo bp_get_activate_slug();
+    echo esc_url( bp_get_activate_slug() );
 }
     /**
@@ -282 +282 @@
  */
 function bp_members_invitations_slug() {
-    echo bp_get_members_invitations_slug();
+    echo esc_url( bp_get_members_invitations_slug() );
 }
     /**
@@ -490 +490 @@
  */
 function bp_members_pagination_count() {
-    echo bp_get_members_pagination_count();
+    echo esc_html( bp_get_members_pagination_count() );
 }
     /**
@@ -559 +559 @@
  */
 function bp_members_pagination_links() {
+    // Escaping is done in WordPress's `paginate_links()` function.
+    // phpcs:ignore WordPress.Security.EscapeOutput
     echo bp_get_members_pagination_links();
 }
@@ -589 +591 @@
  */
 function bp_member_user_id() {
-    echo bp_get_member_user_id();
+    echo intval( bp_get_member_user_id() );
 }
     /**
@@ -625 +627 @@
  */
 function bp_member_class( $classes = array() ) {
+    // phpcs:ignore WordPress.Security.EscapeOutput
     echo bp_get_member_class( $classes );
 }
@@ -673 +676 @@
         if ( $member_types = bp_get_member_type( $members_template->member->id, false ) ) {
             foreach ( $member_types as $member_type ) {
-                $classes[] = sprintf( 'member-type-%s', esc_attr( $member_type ) );
+                $classes[] = sprintf( 'member-type-%s', $member_type );
             }
         }
@@ -682 +685 @@
          * @since 1.7.0
          *
-         * @param string $classes Classes to be added to the HTML element.
-         */
-        $classes = apply_filters( 'bp_get_member_class', $classes );
+         * @param array $classes Classes to be added to the HTML element.
+         */
+        $classes = array_map( 'sanitize_html_class', apply_filters( 'bp_get_member_class', $classes ) );
         $classes = array_merge( $classes, array() );
         $retval  = 'class="' . join( ' ', $classes ) . '"';
@@ -697 +700 @@
  */
 function bp_member_user_nicename() {
-    echo bp_get_member_user_nicename();
+    echo esc_html( bp_get_member_user_nicename() );
 }
     /**
@@ -727 +730 @@
  */
 function bp_member_user_login() {
-    echo bp_get_member_user_login();
+    echo esc_html( bp_get_member_user_login() );
 }
     /**
@@ -757 +760 @@
  */
 function bp_member_user_email() {
-    echo bp_get_member_user_email();
+    echo esc_html( bp_get_member_user_email() );
 }
     /**
@@ -811 +814 @@
  */
 function bp_member_avatar( $args = '' ) {
+    // phpcs:disable WordPress.Security.EscapeOutput
 
     /**
@@ -822 +826 @@
      */
     echo apply_filters( 'bp_member_avatar', bp_get_member_avatar( $args ), $args );
+    // phpcs:enable
 }
     /**
@@ -950 +955 @@
  */
 function bp_member_name() {
+    // phpcs:disable WordPress.Security.EscapeOutput
 
     /**
@@ -959 +965 @@
      */
     echo apply_filters( 'bp_member_name', bp_get_member_name() );
+    // phpcs:enable
 }
     /**
@@ -1017 +1024 @@
  */
 function bp_member_last_active( $args = array() ) {
-    echo bp_get_member_last_active( $args );
+    echo esc_html( bp_get_member_last_active( $args ) );
 }
     /**
@@ -1091 +1098 @@
  */
 function bp_member_latest_update( $args = '' ) {
+    // phpcs:ignore WordPress.Security.EscapeOutput
     echo bp_get_member_latest_update( $args );
 }
@@ -1207 +1215 @@
  */
 function bp_member_profile_data( $args = '' ) {
+    // phpcs:ignore WordPress.Security.EscapeOutput
     echo bp_get_member_profile_data( $args );
 }
@@ -1315 +1324 @@
  */
 function bp_member_registered( $args = array() ) {
-    echo bp_get_member_registered( $args );
+    echo esc_html( bp_get_member_registered( $args ) );
 }
     /**
@@ -1369 +1378 @@
  */
 function bp_member_random_profile_data() {
-    if ( bp_is_active( 'xprofile' ) ) { ?>
-        <?php $random_data = xprofile_get_random_profile_data( bp_get_member_user_id(), true ); ?>
+    if ( bp_is_active( 'xprofile' ) ) {
+        $random_data = xprofile_get_random_profile_data( bp_get_member_user_id(), true );
+        // phpcs:disable WordPress.Security.EscapeOutput
+        ?>
             <strong><?php echo wp_filter_kses( $random_data[0]->name ) ?></strong>
             <?php echo wp_filter_kses( $random_data[0]->value ) ?>
-    <?php }
+        <?php
+        // phpcs:enable
+    }
 }
 
@@ -1414 +1427 @@
     $search_form_html = '<form action="" method="get" id="search-members-form">
         <label for="members_search"><input type="text" name="' . esc_attr( $query_arg ) . '" id="members_search" placeholder="'. esc_attr( $search_value ) .'" /></label>
-        <input type="submit" id="members_search_submit" name="members_search_submit" value="' . __( 'Search', 'buddypress' ) . '" />
+        <input type="submit" id="members_search_submit" name="members_search_submit" value="' . esc_html__( 'Search', 'buddypress' ) . '" />
     </form>';
 
-    /**
-     * Filters the Members component search form.
-     *
-     * @since 1.9.0
-     *
-     * @param string $search_form_html HTML markup for the member search form.
-     */
-    echo apply_filters( 'bp_directory_members_search_form', $search_form_html );
+    // phpcs:ignore WordPress.Security.EscapeOutput
+    echo apply_filters(
+        /**
+         * Filters the Members component search form.
+         *
+         * @since 1.9.0
+         *
+         * @param string $search_form_html HTML markup for the member search form.
+         */
+        'bp_directory_members_search_form',
+        $search_form_html
+    );
 }
 
@@ -1433 +1450 @@
  */
 function bp_total_site_member_count() {
-    echo bp_get_total_site_member_count();
+    echo esc_html( bp_get_total_site_member_count() );
 }
     /**
@@ -1502 +1519 @@
         }
 
-        // Echo out the final list item.
-        echo apply_filters_ref_array( 'bp_get_loggedin_user_nav_' . $nav_item->css_id, array( '<li id="li-nav-' . $nav_item->css_id . '" ' . $selected . '><a id="my-' . $nav_item->css_id . '" href="' . $nav_item->link . '">' . $nav_item->name . '</a></li>', &$nav_item ) );
+        // phpcs:ignore WordPress.Security.EscapeOutput
+        echo apply_filters_ref_array( 'bp_get_loggedin_user_nav_' . $nav_item->css_id, array( '<li id="li-nav-' . esc_attr( $nav_item->css_id ) . '" ' . $selected . '><a id="my-' . esc_attr( $nav_item->css_id ) . '" href="' . esc_url( $nav_item->link ) . '">' . esc_html( $nav_item->name ) . '</a></li>', &$nav_item ) );
     }
 
     // Always add a log out list item to the end of the navigation.
-    $logout_link = '<li><a id="wp-logout" href="' .  wp_logout_url( bp_get_root_url() ) . '">' . __( 'Log Out', 'buddypress' ) . '</a></li>';
-
+    $logout_link = '<li><a id="wp-logout" href="' .  esc_url( wp_logout_url( bp_get_root_url() ) ) . '">' . esc_html__( 'Log Out', 'buddypress' ) . '</a></li>';
+
+    // phpcs:ignore WordPress.Security.EscapeOutput
     echo apply_filters( 'bp_logout_nav_link', $logout_link );
 }
@@ -1630 +1648 @@
         }
 
-        /**
-         * Filters the navigation markup for the displayed user.
-         *
-         * This is a dynamic filter that is dependent on the navigation tab component being rendered.
-         *
-         * @since 1.1.0
-         *
-         * @param string $value         Markup for the tab list item including link.
-         * @param array  $user_nav_item Array holding parts used to construct tab list item.
-         *                              Passed by reference.
-         */
-        echo apply_filters_ref_array( 'bp_get_displayed_user_nav_' . $user_nav_item->css_id, array( '<li id="' . $user_nav_item->css_id . '-personal-li" ' . $selected . '><a id="user-' . $user_nav_item->css_id . '" href="' . $link . '">' . $user_nav_item->name . '</a></li>', &$user_nav_item ) );
+        // phpcs:ignore WordPress.Security.EscapeOutput
+        echo apply_filters_ref_array(
+            /**
+             * Filters the navigation markup for the displayed user.
+             *
+             * This is a dynamic filter that is dependent on the navigation tab component being rendered.
+             *
+             * @since 1.1.0
+             *
+             * @param string $value         Markup for the tab list item including link.
+             * @param array  $user_nav_item Array holding parts used to construct tab list item.
+             *                              Passed by reference.
+             */
+            'bp_get_displayed_user_nav_' . $user_nav_item->css_id,
+            array(
+                '<li id="' . esc_attr( $user_nav_item->css_id ) . '-personal-li" ' . $selected . '><a id="user-' . esc_attr( $user_nav_item->css_id ) . '" href="' . esc_url( $link ) . '">' . wp_kses( $user_nav_item->name, array( 'span' => array( 'class' => true ) ) ) . '</a></li>',
+                &$user_nav_item
+            )
+        );
     }
 }
@@ -1671 +1696 @@
  */
 function bp_loggedin_user_avatar( $args = '' ) {
+    // phpcs:ignore WordPress.Security.EscapeOutput
     echo bp_get_loggedin_user_avatar( $args );
 }
@@ -1730 +1756 @@
  */
 function bp_displayed_user_avatar( $args = '' ) {
+    // phpcs:ignore WordPress.Security.EscapeOutput
     echo bp_get_displayed_user_avatar( $args );
 }
@@ -1785 +1812 @@
  */
 function bp_displayed_user_email() {
-    echo bp_get_displayed_user_email();
+    echo esc_html( bp_get_displayed_user_email() );
 }
     /**
@@ -1824 +1851 @@
  */
 function bp_last_activity( $user_id = 0 ) {
-    echo bp_get_last_activity( $user_id );
+    echo esc_html( bp_get_last_activity( $user_id ) );
 }
     /**
@@ -1861 +1888 @@
  */
 function bp_user_firstname() {
-    echo bp_get_user_firstname();
+    echo esc_html( bp_get_user_firstname() );
 }
     /**
@@ -1993 +2020 @@
      * @param string $url Generated link for the displayed user's profile.
      */
-    return apply_filters( 'bp_displayed_user_domain',$url );
+    return apply_filters( 'bp_displayed_user_domain', $url );
 }
 
@@ -2089 +2116 @@
  */
 function bp_displayed_user_fullname() {
-    echo bp_get_displayed_user_fullname();
+    echo esc_html( bp_get_displayed_user_fullname() );
 }
     /**
@@ -2116 +2143 @@
      * @since 1.0.0
      */
-    function bp_user_fullname() { echo bp_get_displayed_user_fullname(); }
+    function bp_user_fullname() { echo esc_html( bp_get_displayed_user_fullname() ); }
 
 
@@ -2125 +2152 @@
  */
 function bp_loggedin_user_fullname() {
-    echo bp_get_loggedin_user_fullname();
+    echo esc_html( bp_get_loggedin_user_fullname() );
 }
     /**
@@ -2153 +2180 @@
  */
 function bp_displayed_user_username() {
-    echo bp_get_displayed_user_username();
+    echo esc_html( bp_get_displayed_user_username() );
 }
     /**
@@ -2187 +2214 @@
  */
 function bp_loggedin_user_username() {
-    echo bp_get_loggedin_user_username();
+    echo esc_html( bp_get_loggedin_user_username() );
 }
     /**
@@ -2221 +2248 @@
  */
 function bp_current_member_type_message() {
-    echo bp_get_current_member_type_message();
+    echo wp_kses( bp_get_current_member_type_message(), array( 'strong' => true ) );
 }
     /**
@@ -2254 +2281 @@
  */
 function bp_member_type_directory_link( $member_type = '' ) {
+    // phpcs:ignore WordPress.Security.EscapeOutput
     echo bp_get_member_type_directory_link( $member_type );
 }
@@ -2302 +2330 @@
  */
 function bp_member_type_list( $user_id = 0, $r = array() ) {
+    // phpcs:ignore WordPress.Security.EscapeOutput
     echo bp_get_member_type_list( $user_id, $r );
 }
@@ -2577 +2606 @@
  */
 function bp_signup_username_value() {
-    echo bp_get_signup_username_value();
+    echo esc_html( bp_get_signup_username_value() );
 }
     /**
@@ -2609 +2638 @@
  */
 function bp_signup_email_value() {
-    echo bp_get_signup_email_value();
+    echo esc_html( bp_get_signup_email_value() );
 }
     /**
@@ -2647 +2676 @@
  */
 function bp_signup_with_blog_value() {
-    echo bp_get_signup_with_blog_value();
+    echo intval( bp_get_signup_with_blog_value() );
 }
     /**
@@ -2677 +2706 @@
  */
 function bp_signup_blog_url_value() {
-    echo bp_get_signup_blog_url_value();
+    echo esc_url( bp_get_signup_blog_url_value() );
 }
     /**
@@ -2709 +2738 @@
  */
 function bp_signup_subdomain_base() {
-    echo bp_signup_get_subdomain_base();
+    echo esc_url( bp_signup_get_subdomain_base() );
 }
     /**
@@ -2745 +2774 @@
  */
 function bp_signup_blog_title_value() {
-    echo bp_get_signup_blog_title_value();
+    echo esc_html( bp_get_signup_blog_title_value() );
 }
     /**
@@ -2777 +2806 @@
  */
 function bp_signup_blog_privacy_value() {
-    echo bp_get_signup_blog_privacy_value();
+    echo esc_html( bp_get_signup_blog_privacy_value() );
 }
     /**
@@ -2809 +2838 @@
  */
 function bp_signup_avatar_dir_value() {
-    echo bp_get_signup_avatar_dir_value();
+    echo esc_html( bp_get_signup_avatar_dir_value() );
 }
     /**
@@ -2822 +2851 @@
 
         // Check if signup_avatar_dir is passed.
-        if ( !empty( $_POST['signup_avatar_dir'] ) )
+        if ( ! empty( $_POST['signup_avatar_dir'] ) ) {
             $signup_avatar_dir = $_POST['signup_avatar_dir'];
 
-        // If not, check if global is set.
-        elseif ( !empty( $bp->signup->avatar_dir ) )
+            // If not, check if global is set.
+        } elseif ( ! empty( $bp->signup->avatar_dir ) ) {
             $signup_avatar_dir = $bp->signup->avatar_dir;
 
-        // If not, set false.
-        else
+            // If not, set false.
+        } else {
             $signup_avatar_dir = false;
+        }
 
         /**
@@ -2872 +2902 @@
  */
 function bp_current_signup_step() {
-    echo bp_get_current_signup_step();
+    echo esc_html( bp_get_current_signup_step() );
 }
     /**
@@ -2895 +2925 @@
  */
 function bp_signup_avatar( $args = '' ) {
+    // phpcs:ignore WordPress.Security.EscapeOutput
     echo bp_get_signup_avatar( $args );
 }
@@ -2924 +2955 @@
         );
 
-        extract( $r, EXTR_SKIP );
-
         $signup_avatar_dir = bp_get_signup_avatar_dir_value();
 
@@ -2935 +2964 @@
                 'avatar_dir' => 'avatars/signups',
                 'type'       => 'full',
-                'width'      => $size,
-                'height'     => $size,
-                'alt'        => $alt,
-                'class'      => $class,
+                'width'      => $r['size'],
+                'height'     => $r['size'],
+                'alt'        => $r['alt'],
+                'class'      => $r['class'],
             ) );
 
@@ -2962 +2991 @@
             $gravatar_url    = apply_filters( 'bp_gravatar_url', '//www.gravatar.com/avatar/' );
             $md5_lcase_email = md5( strtolower( bp_get_signup_email_value() ) );
-            $gravatar_img    = '<img src="' . $gravatar_url . $md5_lcase_email . '?d=' . $default_grav . '&amp;s=' . $size . '" width="' . $size . '" height="' . $size . '" alt="' . $alt . '" class="' . $class . '" />';
+            $gravatar_img    = '<img src="' . $gravatar_url . $md5_lcase_email . '?d=' . $default_grav . '&amp;s=' . $r['size'] . '" width="' . esc_attr( $r['size'] ) . '" height="' . esc_attr( $r['size'] ) . '" alt="' . esc_attr( $r['alt'] ) . '" class="' . esc_attr( $r['class'] ) . '" />';
         }
 
@@ -2984 +3013 @@
  */
 function bp_signup_allowed() {
+    // phpcs:ignore WordPress.Security.EscapeOutput
     echo bp_get_signup_allowed();
 }
@@ -3081 +3111 @@
  */
 function bp_members_activity_feed() {
-    if ( !bp_is_active( 'activity' ) || !bp_is_user() )
-        return; ?>
-
-    <link rel="alternate" type="application/rss+xml" title="<?php bloginfo( 'name' ) ?> | <?php bp_displayed_user_fullname() ?> | <?php _e( 'Activity RSS Feed', 'buddypress' ) ?>" href="<?php bp_member_activity_feed_link() ?>" />
-
-<?php
+    if ( ! bp_is_active( 'activity' ) || ! bp_is_user() ) {
+        return;
+    }
+    // phpcs:disable WordPress.Security.EscapeOutput
+    ?>
+    <link rel="alternate" type="application/rss+xml" title="<?php bloginfo( 'name' ) ?> | <?php bp_displayed_user_fullname() ?> | <?php esc_attr_e( 'Activity RSS Feed', 'buddypress' ) ?>" href="<?php bp_member_activity_feed_link() ?>" />
+    <?php
+    // phpcs:enable
 }
 add_action( 'bp_head', 'bp_members_activity_feed' );
@@ -3170 +3202 @@
  */
 function bp_avatar_delete_link() {
-    echo bp_get_avatar_delete_link();
+    echo esc_url( bp_get_avatar_delete_link() );
 }
     /**
@@ -3312 +3344 @@
  */
 function bp_members_invitations_pagination_count() {
-    echo bp_get_members_invitations_pagination_count();
+    echo esc_html( bp_get_members_invitations_pagination_count() );
 }
     /**
@@ -3352 +3384 @@
  */
 function bp_members_invitations_pagination_links() {
+    // phpcs:ignore WordPress.Security.EscapeOutput
     echo bp_get_members_invitations_pagination_links();
 }
@@ -3388 +3421 @@
     }
 
-    /**
-     * Use this filter to sanitize the output.
-     *
-     * @since 8.0.0
-     *
-     * @param int|string $value    The value for the requested property.
-     * @param string     $property The name of the requested property.
-     * @param string     $context  The context of display.
-     */
-    echo apply_filters( 'bp_the_members_invitation_property', bp_get_the_members_invitation_property( $property ), $property, $context );
+    // phpcs:ignore WordPress.Security.EscapeOutput
+    echo apply_filters(
+        /**
+         * Use this filter to sanitize the output.
+         *
+         * @since 8.0.0
+         *
+         * @param int|string $value    The value for the requested property.
+         * @param string     $property The name of the requested property.
+         * @param string     $context  The context of display.
+         */
+        'bp_the_members_invitation_property',
+        bp_get_the_members_invitation_property( $property ),
+        $property,
+        $context
+    );
 }
     /**
@@ -3452 +3491 @@
  */
 function bp_the_members_invitation_action_links( $args = '' ) {
+    // phpcs:ignore WordPress.Security.EscapeOutput
     echo bp_get_the_members_invitation_action_links( $args );
 }
@@ -3508 +3548 @@
  */
 function bp_the_members_invitations_resend_link( $user_id = 0 ) {
+    // phpcs:ignore WordPress.Security.EscapeOutput
     echo bp_get_the_members_invitation_delete_link( $user_id );
 }
@@ -3527 +3568 @@
         }
 
-        $retval = sprintf( '<a href="%1$s" class="resend secondary confirm bp-tooltip">%2$s</a>', esc_url( bp_get_the_members_invitations_resend_url( $user_id ) ), __( 'Resend', 'buddypress' ) );
+        $retval = sprintf( '<a href="%1$s" class="resend secondary confirm bp-tooltip">%2$s</a>', esc_url( bp_get_the_members_invitations_resend_url( $user_id ) ), esc_html__( 'Resend', 'buddypress' ) );
 
         /**
@@ -3599 +3640 @@
  */
 function bp_the_members_invitations_delete_link( $user_id = 0 ) {
+    // phpcs:ignore WordPress.Security.EscapeOutput
     echo bp_get_the_members_invitation_delete_link( $user_id );
 }
@@ -3696 +3738 @@
  */
 function bp_members_invitations_list_invites_permalink( $user_id = 0 ) {
-    echo bp_get_members_invitations_list_invites_permalink( $user_id );
+    echo esc_url( bp_get_members_invitations_list_invites_permalink( $user_id ) );
 }
     /**
@@ -3734 +3776 @@
  */
 function bp_members_invitations_send_invites_permalink( $user_id = 0 ) {
-    echo bp_get_members_invitations_send_invites_permalink( $user_id );
+    echo esc_url( bp_get_members_invitations_send_invites_permalink( $user_id ) );
 }
     /**

trunk/src/bp-members/bp-members-widgets.php

@@ -12 +12 @@
 defined( 'ABSPATH' ) || exit;
 
-_deprecated_file( basename( __FILE__ ), '12.0.0', '', __( 'BuddyPress does not include Legacy Widgets anymore, you can restore it using the BP Classic plugin', 'buddypress' ) );
+_deprecated_file( basename( __FILE__ ), '12.0.0', '', esc_html__( 'BuddyPress does not include Legacy Widgets anymore, you can restore it using the BP Classic plugin', 'buddypress' ) );

trunk/src/bp-members/classes/class-bp-core-members-template.php

@@ -128 +128 @@
         // Backward compatibility with old method of passing arguments.
         if ( ! is_array( $args[0] ) || count( $args ) > 1 ) {
-            _deprecated_argument( __METHOD__, '7.0.0', sprintf( __( 'Arguments passed to %1$s should be in an associative array. See the inline documentation at %2$s for more details.', 'buddypress' ), __METHOD__, __FILE__ ) );
+            _deprecated_argument( __METHOD__, '7.0.0', sprintf( esc_html__( 'Arguments passed to %1$s should be in an associative array. See the inline documentation at %2$s for more details.', 'buddypress' ), __METHOD__, __FILE__ ) );
 
             $old_args_keys = array(

trunk/src/bp-members/classes/class-bp-core-members-widget.php

@@ -12 +12 @@
 defined( 'ABSPATH' ) || exit;
 
-_deprecated_file( basename( __FILE__ ), '12.0.0', '', __( 'BuddyPress does not include Legacy Widgets anymore, you can restore it using the BP Classic plugin', 'buddypress' ) );
+_deprecated_file( basename( __FILE__ ), '12.0.0', '', esc_html__( 'BuddyPress does not include Legacy Widgets anymore, you can restore it using the BP Classic plugin', 'buddypress' ) );
 
 /**

trunk/src/bp-members/classes/class-bp-core-recently-active-widget.php

@@ -12 +12 @@
 defined( 'ABSPATH' ) || exit;
 
-_deprecated_file( basename( __FILE__ ), '12.0.0', '', __( 'BuddyPress does not include Legacy Widgets anymore, you can restore it using the BP Classic plugin', 'buddypress' ) );
+_deprecated_file( basename( __FILE__ ), '12.0.0', '', esc_html__( 'BuddyPress does not include Legacy Widgets anymore, you can restore it using the BP Classic plugin', 'buddypress' ) );
 
 /**

trunk/src/bp-members/classes/class-bp-core-whos-online-widget.php

@@ -12 +12 @@
 defined( 'ABSPATH' ) || exit;
 
-_deprecated_file( basename( __FILE__ ), '12.0.0', '', __( 'BuddyPress does not include Legacy Widgets anymore, you can restore it using the BP Classic plugin', 'buddypress' ) );
+_deprecated_file( basename( __FILE__ ), '12.0.0', '', esc_html__( 'BuddyPress does not include Legacy Widgets anymore, you can restore it using the BP Classic plugin', 'buddypress' ) );
 
 /**

trunk/src/bp-members/classes/class-bp-members-admin.php

@@ -923 +923 @@
             if ( current_user_can( 'edit_user', $user->ID ) ) : ?>
 
-                <a class="nav-tab<?php echo esc_attr( $wp_active ); ?>" href="<?php echo esc_url( $wordpress_url );?>"><?php _e( 'Profile', 'buddypress' ); ?></a>
+                <a class="nav-tab<?php echo esc_attr( $wp_active ); ?>" href="<?php echo esc_url( $wordpress_url );?>"><?php esc_html_e( 'Profile', 'buddypress' ); ?></a>
 
             <?php endif; ?>
 
-            <a class="nav-tab<?php echo esc_attr( $bp_active ); ?>" href="<?php echo esc_url( $community_url );?>"><?php _e( 'Extended Profile', 'buddypress' ); ?></a>
+            <a class="nav-tab<?php echo esc_attr( $bp_active ); ?>" href="<?php echo esc_url( $community_url );?>"><?php esc_html_e( 'Extended Profile', 'buddypress' ); ?></a>
         </h2>
 
@@ -950 +950 @@
         // Can current user edit this profile?
         if ( ! $this->member_can_edit( $user_id ) ) {
-            wp_die( __( 'You cannot edit the requested user.', 'buddypress' ) );
+            wp_die( esc_html__( 'You cannot edit the requested user.', 'buddypress' ) );
         }
 
@@ -1248 +1248 @@
             <?php else : ?>
 
-                <p><?php
+                <p>
+                    <?php
                     printf(
                         '%1$s <a href="%2$s">%3$s</a>',
-                        __( 'No user found with this ID.', 'buddypress' ),
+                        esc_html__( 'No user found with this ID.', 'buddypress' ),
                         esc_url( bp_get_admin_url( 'users.php' ) ),
-                        __( 'Go back and try again.', 'buddypress' )
+                        esc_html__( 'Go back and try again.', 'buddypress' )
                     );
-                ?></p>
+                    ?>
+                </p>
 
             <?php endif; ?>
@@ -1325 +1327 @@
                             <?php
                             /* translators: %s: registration date */
-                            printf( __( 'Registered on: %s', 'buddypress' ), '<strong>' . $date . '</strong>' );
+                            printf( esc_html__( 'Registered on: %s', 'buddypress' ), '<strong>' . esc_html( $date ) . '</strong>' );
                             ?>
                         </span>
@@ -1360 +1362 @@
             <?php
             /* translators: %s: member name */
-            printf( __( '%s has been marked as a spammer. All BuddyPress data associated with the user has been removed', 'buddypress' ), esc_html( bp_core_get_user_displayname( $user->ID ) ) );
+            printf( esc_html__( '%s has been marked as a spammer. All BuddyPress data associated with the user has been removed', 'buddypress' ), esc_html( bp_core_get_user_displayname( $user->ID ) ) );
             ?>
         </p>
@@ -1396 +1398 @@
                 <?php
                 /* translators: %s: date */
-                printf( __( 'Last active: %1$s', 'buddypress' ), '<strong>' . $date . '</strong>' );
+                printf( esc_html__( 'Last active: %1$s', 'buddypress' ), '<strong>' . esc_html( $date ) . '</strong>' );
                 ?>
             </li>
@@ -1435 +1437 @@
         <div class="avatar">
 
-            <?php echo bp_core_fetch_avatar( array(
-                'item_id' => $user->ID,
-                'object'  => 'user',
-                'type'    => 'full',
-                'title'   => $user->display_name
-            ) ); ?>
+            <?php
+            // Escaping is done in `bp_core_fetch_avatar()`.
+            // phpcs:ignore WordPress.Security.EscapeOutput
+            echo bp_core_fetch_avatar(
+                array(
+                    'item_id' => $user->ID,
+                    'object'  => 'user',
+                    'type'    => 'full',
+                    'title'   => $user->display_name
+                )
+            );
+            ?>
 
             <?php if ( bp_get_user_has_avatar( $user->ID ) ) :
@@ -2171 +2179 @@
                     $notice = array(
                         'class'   => 'error',
-                        'message' => esc_html__( 'There was a problem sending the activation emails. Please try again.', 'buddypress' ),
+                        'message' => __( 'There was a problem sending the activation emails. Please try again.', 'buddypress' ),
                     );
                     break;
@@ -2178 +2186 @@
                     $notice = array(
                         'class'   => 'error',
-                        'message' => esc_html__( 'There was a problem activating accounts. Please try again.', 'buddypress' ),
+                        'message' => __( 'There was a problem activating accounts. Please try again.', 'buddypress' ),
                     );
                     break;
@@ -2185 +2193 @@
                     $notice = array(
                         'class'   => 'error',
-                        'message' => esc_html__( 'There was a problem deleting sign-ups. Please try again.', 'buddypress' ),
+                        'message' => __( 'There was a problem deleting sign-ups. Please try again.', 'buddypress' ),
                     );
                     break;
@@ -2225 +2233 @@
             <?php endif; ?>
 
-                <p><?php echo $notice['message']; ?></p>
+                <p><?php echo esc_html( $notice['message'] ); ?></p>
 
                 <?php if ( ! empty( $_REQUEST['notactivated'] ) || ! empty( $_REQUEST['notdeleted'] ) || ! empty( $_REQUEST['notsent'] ) ) :?>
@@ -2307 +2315 @@
 
         <div class="wrap">
-            <h1 class="wp-heading-inline"><?php _e( 'Users', 'buddypress' ); ?></h1>
+            <h1 class="wp-heading-inline"><?php esc_html_e( 'Users', 'buddypress' ); ?></h1>
 
             <?php if ( current_user_can( 'create_users' ) ) : ?>
@@ -2320 +2328 @@
 
             if ( $usersearch ) {
-                printf( '<span class="subtitle">' . __( 'Search results for &#8220;%s&#8221;', 'buddypress' ) . '</span>', esc_html( $usersearch ) );
+                printf( '<span class="subtitle">' . esc_html__( 'Search results for &#8220;%s&#8221;', 'buddypress' ) . '</span>', esc_html( $usersearch ) );
             }
             ?>
@@ -2493 +2501 @@
                                 <tr>
                                     <td class="column-fields"><?php esc_html_e( 'Email', 'buddypress' ); ?></td>
-                                    <td><?php echo sanitize_email( $signup->user_email ); ?></td>
+                                    <td><?php echo esc_html( $signup->user_email ); ?></td>
                                 </tr>
 
@@ -2501 +2509 @@
                                         <tr>
                                             <td class="column-fields"><?php echo esc_html( $fdata[ $pid ] ); ?></td>
-                                            <td><?php echo bp_members_admin_format_xprofile_field_for_display( $field_value ); ?></td>
+                                            <td>
+                                                <?php
+                                                // phpcs:ignore WordPress.Security.EscapeOutput
+                                                echo bp_members_admin_format_xprofile_field_for_display( $field_value );
+                                                ?>
+                                            </td>
                                         </tr>
 
@@ -2540 +2553 @@
                             <?php
                             /* translators: %s: notification date */
-                            printf( esc_html__( 'Last notified: %s', 'buddypress'), $last_notified );
+                            printf( esc_html__( 'Last notified: %s', 'buddypress'), esc_html( $last_notified ) );
                             ?>
 
@@ -2595 +2608 @@
         $id_name = 'bottom' === $which ? 'bp_change_type2' : 'bp_change_type';
 
-        $types = bp_get_member_types( array(), 'objects' ); ?>
-
-        <label class="screen-reader-text" for="<?php echo $id_name; ?>"><?php _e( 'Change member type to&hellip;', 'buddypress' ) ?></label>
+        $types = bp_get_member_types( array(), 'objects' );
+
+        // phpcs:disable WordPress.Security.EscapeOutput
+        ?>
+        <label class="screen-reader-text" for="<?php echo $id_name; ?>"><?php esc_html_e( 'Change member type to&hellip;', 'buddypress' ) ?></label>
         <select name="<?php echo $id_name; ?>" id="<?php echo $id_name; ?>" style="display:inline-block;float:none;">
-            <option value=""><?php _e( 'Change member type to&hellip;', 'buddypress' ) ?></option>
+            <option value=""><?php esc_html_e( 'Change member type to&hellip;', 'buddypress' ) ?></option>
 
             <?php foreach( $types as $type ) : ?>
@@ -2607 +2622 @@
             <?php endforeach; ?>
 
-            <option value="remove_member_type"><?php _e( 'No Member Type', 'buddypress' ) ?></option>
+            <option value="remove_member_type"><?php esc_html_e( 'No Member Type', 'buddypress' ) ?></option>
 
         </select>
         <?php
+        // phpcs:enable
+
         wp_nonce_field( 'bp-bulk-users-change-type-' . bp_loggedin_user_id(), 'bp-bulk-users-change-type-nonce' );
         submit_button( __( 'Change', 'buddypress' ), 'button', 'bp_change_member_type', false );
@@ -3133 +3150 @@
             <?php endif; ?>
 
-                <p><?php echo $notice['message']; ?></p>
+                <p><?php echo esc_html( $notice['message'] ); ?></p>
             </div>
 
@@ -3209 +3226 @@
             <?php
             if ( $usersearch ) {
-                printf( '<span class="subtitle">' . __( 'Search results for &#8220;%s&#8221;', 'buddypress' ) . '</span>', esc_html( $usersearch ) );
+                printf( '<span class="subtitle">' . esc_html__( 'Search results for &#8220;%s&#8221;', 'buddypress' ) . '</span>', esc_html( $usersearch ) );
             }
             ?>
@@ -3347 +3364 @@
                                     <?php
                                     /* translators: %s: notification date */
-                                    printf( esc_html__( 'Last notified: %s', 'buddypress'), $last_notified );
+                                    printf( esc_html__( 'Last notified: %s', 'buddypress'), esc_html( $last_notified ) );
                                     ?>
                                 </p>

trunk/src/bp-members/classes/class-bp-members-invitations-list-table.php

@@ -259 +259 @@
             );
 
-            /* translators: %s: url to site settings */
-            printf( __( 'Invitations are not allowed. %s', 'buddypress' ), $link );
+            printf(
+                /* translators: %s: url to site settings */
+                esc_html__( 'Invitations are not allowed. %s', 'buddypress' ),
+                // The link has been escaped at line 255.
+                // phpcs:ignore WordPress.Security.EscapeOutput
+                $link
+            );
         }
 
@@ -288 +293 @@
         $style = '';
         foreach ( $this->items as $invite ) {
-            $style = ( ' class="alternate"' == $style ) ? '' : ' class="alternate"';
+            $style = 'alt' === $style ? '' : 'alt';
+
+            // Escapes are made into `self::single_row()`.
+            // phpcs:ignore WordPress.Security.EscapeOutput
             echo "\n\t" . $this->single_row( $invite, $style );
         }
@@ -307 +315 @@
      */
     public function single_row( $invite = null, $style = '', $role = '', $numposts = 0 ) {
-        echo '<tr' . $style . ' id="invitation-' . esc_attr( $invite->id ) . '">';
+        if ( '' === $style ) {
+            echo '<tr id="signup-' . esc_attr( $invite->id ) . '">';
+        } else {
+            echo '<tr class="alternate" id="signup-' . esc_attr( $invite->id ) . '">';
+        }
+
+        // BuddyPress relies on WordPress's `WP_Users_List_Table::single_row_columns()`.
+        // phpcs:ignore WordPress.Security.EscapeOutput
         echo $this->single_row_columns( $invite );
         echo '</tr>';
@@ -324 +339 @@
             <?php
                 /* translators: accessibility text */
-                printf( esc_html__( 'Select invitation: %s', 'buddypress' ), $invite->id );
+                printf( esc_html__( 'Select invitation: %s', 'buddypress' ), intval( $invite->id ) );
             ?>
         </label>
@@ -396 +411 @@
         $actions = apply_filters( 'bp_members_invitations_management_row_actions', $actions, $invite );
 
+        // BuddyPress relies on WordPress's `WP_Users_List_Table::row_actions()`.
+        // phpcs:ignore WordPress.Security.EscapeOutput
         echo $this->row_actions( $actions );
     }
@@ -426 +443 @@
         $user_link = bp_members_get_user_url( $invite->inviter_id );
 
-        printf( '%1$s <strong><a href="%2$s" class="edit">%3$s</a></strong><br/>', $avatar, esc_url( $user_link ), esc_html( $inviter->user_login ) );
+        printf(
+            '%1$s <strong><a href="%2$s" class="edit">%3$s</a></strong><br/>',
+            wp_kses(
+                $avatar,
+                array(
+                    'img' => array(
+                        'alt'    => true,
+                        'src'    => true,
+                        'srcset' => true,
+                        'class'  => true,
+                        'height' => true,
+                        'width'  => true,
+                    )
+                )
+            ),
+            esc_url( $user_link ),
+            esc_html( $inviter->user_login )
+        );
     }
 

trunk/src/bp-members/classes/class-bp-members-list-table.php

@@ -216 +216 @@
             }
 
-            /* translators: %s: url to site settings */
-            printf( __( 'Registration is disabled. %s', 'buddypress' ), $link );
+            printf(
+                /* translators: %s: url to site settings */
+                esc_html__( 'Registration is disabled. %s', 'buddypress' ),
+                // The link has been escaped at line 213 & 215.
+                // phpcs:ignore WordPress.Security.EscapeOutput
+                $link
+            );
         }
 
@@ -249 +254 @@
             }
 
-            $style = ( ' class="alternate"' == $style ) ? '' : ' class="alternate"';
+            $style = 'alt' === $style ? '' : 'alt';
+
+            // Escapes are made into `self::single_row()`.
+            // phpcs:ignore WordPress.Security.EscapeOutput
             echo "\n\t" . $this->single_row( $signup_object, $style );
         }
@@ -268 +276 @@
      */
     public function single_row( $signup_object = null, $style = '', $role = '', $numposts = 0 ) {
-        echo '<tr' . $style . ' id="signup-' . esc_attr( $signup_object->id ) . '">';
+        if ( '' === $style ) {
+            echo '<tr id="signup-' . esc_attr( $signup_object->id ) . '">';
+        } else {
+            echo '<tr class="alternate" id="signup-' . esc_attr( $signup_object->id ) . '">';
+        }
+
+        // BuddyPress relies on WordPress's `WP_Users_List_Table::single_row_columns()`.
+        // phpcs:ignore WordPress.Security.EscapeOutput
         echo $this->single_row_columns( $signup_object );
         echo '</tr>';
@@ -282 +297 @@
     public function column_cb( $signup_object = null ) {
     ?>
-        <label class="screen-reader-text" for="signup_<?php echo intval( $signup_object->id ); ?>"><?php
-            /* translators: accessibility text */
-            printf( esc_html__( 'Select user: %s', 'buddypress' ), $signup_object->user_login );
-        ?></label>
+        <label class="screen-reader-text" for="signup_<?php echo intval( $signup_object->id ); ?>">
+            <?php
+            printf(
+                /* translators: accessibility text */
+                esc_html__( 'Select user: %s', 'buddypress' ),
+                esc_html( $signup_object->user_login )
+            );
+            ?>
+        </label>
         <input type="checkbox" id="signup_<?php echo intval( $signup_object->id ) ?>" name="allsignups[]" value="<?php echo esc_attr( $signup_object->id ) ?>" />
         <?php
@@ -330 +350 @@
         );
 
-        echo $avatar . sprintf( '<strong><a href="%1$s" class="edit">%2$s</a></strong><br/>', esc_url( $activate_link ), $signup_object->user_login );
+        echo wp_kses(
+            $avatar,
+            array(
+                'img' => array(
+                    'alt'    => true,
+                    'src'    => true,
+                    'srcset' => true,
+                    'class'  => true,
+                    'height' => true,
+                    'width'  => true,
+                )
+            )
+        );
+        printf( '<strong><a href="%1$s" class="edit">%2$s</a></strong><br/>', esc_url( $activate_link ), esc_html( $signup_object->user_login ) );
 
         $actions = array();
 
-        $actions['activate'] = sprintf( '<a href="%1$s">%2$s</a>', esc_url( $activate_link ), __( 'Activate', 'buddypress' ) );
-        $actions['resend']   = sprintf( '<a href="%1$s">%2$s</a>', esc_url( $email_link ), __( 'Email', 'buddypress' ) );
+        $actions['activate'] = sprintf( '<a href="%1$s">%2$s</a>', esc_url( $activate_link ), esc_html__( 'Activate', 'buddypress' ) );
+        $actions['resend']   = sprintf( '<a href="%1$s">%2$s</a>', esc_url( $email_link ), esc_html__( 'Email', 'buddypress' ) );
 
         if ( current_user_can( 'delete_users' ) ) {
-            $actions['delete'] = sprintf( '<a href="%1$s" class="delete">%2$s</a>', esc_url( $delete_link ), __( 'Delete', 'buddypress' ) );
+            $actions['delete'] = sprintf( '<a href="%1$s" class="delete">%2$s</a>', esc_url( $delete_link ), esc_html__( 'Delete', 'buddypress' ) );
         }
 
@@ -351 +384 @@
         $actions = apply_filters( 'bp_members_ms_signup_row_actions', $actions, $signup_object );
 
+        // BuddyPress relies on WordPress's `WP_Users_List_Table::row_actions()`.
+        // phpcs:ignore WordPress.Security.EscapeOutput
         echo $this->row_actions( $actions );
     }
@@ -407 +442 @@
      */
     public function column_registered( $signup_object = null ) {
-        echo mysql2date( 'Y/m/d g:i:s a', $signup_object->registered );
+        echo esc_html( mysql2date( 'Y/m/d g:i:s a', $signup_object->registered ) );
     }
 
@@ -419 +454 @@
     public function column_date_sent( $signup_object = null ) {
         if ( $signup_object->count_sent > 0 ) {
-            echo mysql2date( 'Y/m/d g:i:s a', $signup_object->date_sent );
+            echo esc_html( mysql2date( 'Y/m/d g:i:s a', $signup_object->date_sent ) );
         } else {
-            $message = __( 'Not yet notified', 'buddypress' );
+            $message = esc_html__( 'Not yet notified', 'buddypress' );
 
             /**

trunk/src/bp-members/classes/class-bp-members-ms-list-table.php

@@ -205 +205 @@
             }
 
-            /* translators: %s: url to site settings */
-            printf( __( 'Registration is disabled. %s', 'buddypress' ), $link );
+            printf(
+                /* translators: %s: url to site settings */
+                esc_html__( 'Registration is disabled. %s', 'buddypress' ),
+                // The link has been escaped at line 204.
+                // phpcs:ignore WordPress.Security.EscapeOutput
+                $link
+            );
         }
     }
@@ -237 +242 @@
             }
 
-            $style = ( ' class="alternate"' == $style ) ? '' : ' class="alternate"';
+            $style = 'alt' === $style ? '' : 'alt';
+
+            // Escapes are made into `self::single_row()`.
+            // phpcs:ignore WordPress.Security.EscapeOutput
             echo "\n\t" . $this->single_row( $signup_object, $style );
         }
@@ -253 +261 @@
      */
     public function single_row( $signup_object = null, $style = '' ) {
-        echo '<tr' . $style . ' id="signup-' . esc_attr( $signup_object->id ) . '">';
+        if ( '' === $style ) {
+            echo '<tr id="signup-' . esc_attr( $signup_object->id ) . '">';
+        } else {
+            echo '<tr class="alternate" id="signup-' . esc_attr( $signup_object->id ) . '">';
+        }
+
+        // BuddyPress relies on WordPress's `WP_MS_Users_List_Table::single_row_columns()`.
+        // phpcs:ignore WordPress.Security.EscapeOutput
         echo $this->single_row_columns( $signup_object );
         echo '</tr>';
@@ -281 +296 @@
     public function column_cb( $signup_object = null ) {
     ?>
-        <label class="screen-reader-text" for="signup_<?php echo intval( $signup_object->id ); ?>"><?php printf(
-            /* translators: accessibility text */
-            esc_html__( 'Select user: %s', 'buddypress' ), $signup_object->user_login );
-        ?></label>
+        <label class="screen-reader-text" for="signup_<?php echo intval( $signup_object->id ); ?>">
+            <?php
+            printf(
+                /* translators: accessibility text */
+                esc_html__( 'Select user: %s', 'buddypress' ),
+                esc_html( $signup_object->user_login )
+            );
+            ?>
+        </label>
         <input type="checkbox" id="signup_<?php echo intval( $signup_object->id ) ?>" name="allsignups[]" value="<?php echo esc_attr( $signup_object->id ) ?>" />
         <?php
@@ -329 +349 @@
         );
 
-        echo $avatar . sprintf( '<strong><a href="%1$s" class="edit">%2$s</a></strong><br/>', esc_url( $activate_link ), $signup_object->user_login );
+        echo wp_kses(
+            $avatar,
+            array(
+                'img' => array(
+                    'alt'    => true,
+                    'src'    => true,
+                    'srcset' => true,
+                    'class'  => true,
+                    'height' => true,
+                    'width'  => true,
+                )
+            )
+        );
+        printf( '<strong><a href="%1$s" class="edit">%2$s</a></strong><br/>', esc_url( $activate_link ), esc_html( $signup_object->user_login ) );
 
         $actions = array();
 
-        $actions['activate'] = sprintf( '<a href="%1$s">%2$s</a>', esc_url( $activate_link ), __( 'Activate', 'buddypress' ) );
-        $actions['resend']   = sprintf( '<a href="%1$s">%2$s</a>', esc_url( $email_link    ), __( 'Email',    'buddypress' ) );
+        $actions['activate'] = sprintf( '<a href="%1$s">%2$s</a>', esc_url( $activate_link ), esc_html__( 'Activate', 'buddypress' ) );
+        $actions['resend']   = sprintf( '<a href="%1$s">%2$s</a>', esc_url( $email_link    ), esc_html__( 'Email',    'buddypress' ) );
 
         if ( current_user_can( 'delete_users' ) ) {
-            $actions['delete'] = sprintf( '<a href="%1$s" class="delete">%2$s</a>', esc_url( $delete_link ), __( 'Delete', 'buddypress' ) );
+            $actions['delete'] = sprintf( '<a href="%1$s" class="delete">%2$s</a>', esc_url( $delete_link ), esc_html__( 'Delete', 'buddypress' ) );
         }
 
@@ -343 +376 @@
         $actions = apply_filters( 'bp_members_ms_signup_row_actions', $actions, $signup_object );
 
+        // BuddyPress relies on WordPress's `WP_MS_Users_List_Table::row_actions()`.
+        // phpcs:ignore WordPress.Security.EscapeOutput
         echo $this->row_actions( $actions );
     }
@@ -409 +444 @@
             $date = 'Y/m/d';
         } else {
-            $date = 'Y/m/d \<\b\r \/\> g:i:s a';
-        }
-
-        echo mysql2date( $date, $signup_object->registered ) . "</td>";
+            $date = "Y/m/d \n g:i:s a";
+        }
+
+        echo nl2br( esc_html( mysql2date( $date, $signup_object->registered ) ) ) . "</td>";
     }
 
@@ -430 +465 @@
             $date = 'Y/m/d';
         } else {
-            $date = 'Y/m/d \<\b\r \/\> g:i:s a';
+            $date = "Y/m/d \n g:i:s a";
         }
 
         if ( $signup_object->count_sent > 0 ) {
-            echo mysql2date( $date, $signup_object->date_sent );
+            echo nl2br( esc_html( mysql2date( $date, $signup_object->date_sent ) ) );
         } else {
-            $message = __( 'Not yet notified', 'buddypress' );
+            $message = esc_html__( 'Not yet notified', 'buddypress' );
 
             /**

trunk/src/bp-members/screens/register.php

@@ -198 +198 @@
                  */
                 add_action( 'bp_' . $fieldname . '_errors', function() use ( $error_message, $fieldname ) {
-                    /**
-                     * Filter here to edit the error message about the invalid field value.
-                     *
-                     * @since 1.5.0
-                     * @since 8.0.0 Adds the `$fieldname` parameter.
-                     *
-                     * @param string $value     Error message wrapped in html.
-                     * @param string $fieldname The name of the signup field.
-                     */
-                    echo apply_filters( 'bp_members_signup_error_message', "<div class=\"error\">" . $error_message . "</div>", $fieldname );
+                    echo wp_kses(
+                        /**
+                         * Filter here to edit the error message about the invalid field value.
+                         *
+                         * @since 1.5.0
+                         * @since 8.0.0 Adds the `$fieldname` parameter.
+                         *
+                         * @param string $value     Error message wrapped in html.
+                         * @param string $fieldname The name of the signup field.
+                         */
+                        apply_filters( 'bp_members_signup_error_message', "<div class=\"error\">" . $error_message . "</div>", $fieldname ),
+                        array(
+                            'div' => array( 'class' => true ),
+                        )
+                    );
                 } );
             }